A Probabilistic Method for Certification of Analytically Redundant Systems

Transcription

1 A Probabilistic Method for Certification of Analytically Redundant Systems Bin Hu and Peter Seiler Abstract Analytical fault detection algorithms have the potential to reduce the size, power and weight of fault tolerant safety-critical aerospace systems. One obstacle is the need for appropriate tools to certify the reliability of these systems. To complement high fidelity Monte Carlo simulations, this paper presents a theoretical method to assess the probabilistic performance of analytically redundant systems. Specifically, this paper considers a dual-redundant fault tolerant system that uses a fault detection algorithm to switch between the hardware components. The exact system failure rate per hour is computed using the law of total probability. The analysis assumes known failure models for the hardware components as well as knowledge of the probabilistic performance of the fault detection logic. A numerical example is provided to demonstrate the proposed method. I. INTRODUCTION Commercial flight control electronics typically satisfy reliability and safety requirements of no more than 10 9 catastrophic failures per flight hour [3], [5]. Therefore, fault tolerance is introduced to enable continued operation in the event of a component failure. Fault tolerance is currently achieved mainly through the use of physically redundant components. For example, the Boeing 777 flight control electronics consists of multiple redundant computing modules, actuators, and sensors [21]. Physically redundant architectures are reliable but they increase the system size, weight, power, and cost. In addition, these architectures are impractical for smaller unmanned aerial vehicles which cannot carry the associated payload. As a result, there have been efforts to develop analytical redundancy as an alternative approach to achieve fault tolerance, e.g. the oscillatory monitors on the Airbus A380 [8]. Model-based fault detection and isolation (FDI) is one method to realize analytical redundancy. This technique has applications which span most disciplines of engineering [12] and a thorough treatment can be found in standard references [4], [11], [6]. The recent AddSafe project in Europe [1] dealt with the future green aircraft and assessed the suitability of these more advanced fault detection methods for optimizing the aircraft design. There are several issues that must be addressed before analytical redundancy finds general acceptance for aerospace applications. One issue is the need to certify the reliability of an analytically redundant system with aviation authorities, e.g. the Federal Aviation Administration or European Aviation Safety Agency. In particular, it must be possible to assess and certify the system reliability. In a physically redundant configuration, a failed component is detected by Bin Hu and Peter Seiler are with the Aerospace Engineering and Mechanics Department, University of Minnesota, huxxx221@umn.edu; seiler@aem.umn.edu. directly comparing the behavior of each redundant component. Hence, these architectures detect faults accurately and their performance can be certified using fault trees and known hardware component failure rates [14], [13]. Systems that use analytical redundancy, on the other hand, depend on the fault detection algorithm as well as the hardware component failure rates. Thus different tools are required to assess the reliability of analytically redundant systems. The extended fault tree technique has been proposed to assess the reliability of an analytically redundant system [2], [9]. In this work, the fault detection performance involves missed detections and false alarms that occur at the system sample rate. The system failure rate per sample frame is computed by characterizing false alarms and missed detections as basic events that are incorporated into a fault tree. However, the safety requirements are typically specified over longer time periods, e.g. per hour [3], [5]. The possible failure of the entire system at different time steps introduces time correlations which should be addressed properly. The main contribution of this paper is a mathematical framework to efficiently compute the system failure rate per hour of an analytically redundant system. The framework proposed here builds on the prior work in [2], [9] by incorporating various time scales. The method is described for a simple dual-redundant sensor configuration with a fault detection scheme, as formulated in Section II. The system failure rate per hour is exactly computed using probabilistic models of the fault detection performance and the hardware component failures (Section III). Finally, a numerical example is presented to demonstrate the utility of the proposed approach (Section IV). The proposed approach is complementary to Monte Carlo simulations. In particular, the Monte Carlo method is a practical solution to assess system performance via simulations on a high fidelity model [17]. A potential drawback is that the failure rate for safety critical systems is designed to be very low. Thus a large number of Monte Carlo simulations may be required to draw statistically meaningful conclusions. The proposed mathematical analysis provides an efficient method to exactly compute the system reliability. In addition, the analysis provides additional insight into the various design choices. However the analysis requires specific assumptions about the failure models, operating conditions, etc. The use of both theoretical analysis and high fidelity simulations thus provides complementary benefits. This is similar to the current practice for flight control law validation [10], [16] which uses a mixture of high fidelity nonlinear simulations and exact analyses, e.g. gain/phase margins based on approximate linearized models.

2 II. DUPLEX SENSOR SYSTEM Consider a dual-redundant sensor system operating in discrete-time (Figure 1). At each sample time k, the duplex system attempts to generate a correct measurement ˆm(k) of a particular signal s(k) for use by a flight control algorithm. Fault tolerance is achieved by the combination of two sensors and a fault detection scheme. At each sample time the two sensors generate measurements m 1 (k) and m 2 (k) of the signal s(k). The measurement from the primary sensor is used in the absence of a detected fault. The system switches to the backup sensor once a fault is detected. The fault detection scheme is assumed to be an analytical method that relies on measurements that are independent of those generated by the primary and backup sensors. The objective is to assess the reliability of this duplex system. The duplex system shown in Figure 1 is simplified but captures the essential features of a more realistic redundant architecture. Fig. 1. A. Problem Formulation Duplex Sensor System A definition of reliability was established by the Technical Committee on Fault Detection, Supervision and Safety of Technical Processes [12]. Reliability is the ability of a system to perform a required function under stated conditions, within a given scope, and during a given period of time. Two aspects of this definition should be clarified for the duplex sensor system. First, the analysis in this paper is formulated in discrete-time. Hence the given period of time is a window of length N. Typical aerospace requirements are specified per hour and hence N may be large, e.g. N = samples per hour for a system with a 100 Hz sample rate. Second, the required function for the duplex system is to generate a correct measurement for use by a control law. The control laws and aircraft dynamics have low pass characteristics and thus a single bad sample may not lead to system failure. However, the continued use of incorrect data over multiple (N 0 ) time frames will eventually cause a failure. To summarize, the duplex system performs its required function as long as it does not generate bad data for N 0 consecutive steps. P S,N is defined as the probability that the system fails to perform this required function over an N-step window. The analysis requires models of the sensor components. Let θ i (k) 0, 1} denote the status of the i th sensor (i = 1, 2) at time k: θ i (k) = 0 if the i th sensor is operational at time k and θ i (k) = 1 if it has failed. It is assumed that once a sensor fails then it remains failed, i.e. intermittent failures are neglected. Due to this assumption it is possible to define a unique failure time T i for the i th sensor (i = 1, 2) as: k if θ T i = i (k 1) = 0 and θ i (k) = 1 (1) N + 1 if θ i (k) = 0 k N The notation T i = N + 1 corresponds to the case where the sensor remains functional during the entire N-step window. Reliability theory can be used to model the failure time of the sensors [18], [15]. In many applications, the mean time between failure (MTBF) can be estimated from field data. The analysis in this paper assumes the probability mass function P [T i = k] is known for both sensors i = 1, 2 and for all time k N + 1. Finally, it is assumed that T 1 and T 2 are independent. This assumption implies dissimilar sensors are used and hence common failure modes are neglected. This simplifies the notation and computation required for analysis. A similar approach to that presented in this paper can be used to incorporate the joint probability mass function of T 1 and T 2 for systems with correlated sensor failures. The probability of system failure P S,N also depends on the fault detection logic. The FDI scheme has a logic signal d(k) that indicates the status of the primary sensor at time k: d(k) = 1 if a fault has been detected and d(k) = 0 otherwise. The FDI logic switches immediately to the backup sensor once a fault is detected. Thus the logic selects the primary sensor, ˆm(k) = m 1 (k), if d(k) = 0 and it selects the backup sensor if d(k) = 1. It is assumed that once the fault detection logic switches to the backup sensor then it will continue using the backup. Logic that intermittently switches between sensors is not considered. Again, this assumption implies that it is possible to define a unique switching time T S as: k if d(k 1) = 0 and d(k) = 1 T S = (2) N + 1 if d(k) = 0 k N T S = N + 1 denotes the case where no fault is detected throughout the entire N-step window. The system can be in one of four states depending on the primary sensor status and the fault detection signal. These four states can be arranged in a confusion matrix [7] as shown in Table I. The entries of the confusion matrix depend on both the hardware and the FDI logic. The performance of the FDI logic alone is typically quantified by (singleframe) conditional probabilities of false alarm and detection. Specifically in [6], [20], the probability of false alarm at time k is defined as P [d(k) = 1 θ 1 (k) = 0]. Similarly, the probability of detection at time k is defined as P [d(k) = 1 θ 1 (k) = 1]. As shown in Section III, these single frame conditional probabilities are not sufficient to compute the system failure probability. Instead, computation of P S,N requires the FDI performance to be characterized across multiple time steps. The first FDI performance metric is P [T S N T 1 = N +1]. This is the conditional probability of a false alarm at some point in the N-step window given that the primary sensor remains operational. The second FDI performance metric is P [T S k + N 0 T 1 = k] defined for 1 k N. This is the conditional probability that the fault detection logic continues to use the primary sensor for at least N 0 steps after a failure at time k.

3 θ 1 (k) = 1 θ 1 (k) = 0 d(k) = 1 True Positive False Positive d(k) = 0 False Negative True Negative TABLE I CONFUSION MATRIX FOR FAULT DETECTION LOGIC In the notation defined above, the duplex system produces bad data at time k if the primary sensor is selected and failed (d(k) = 0 and θ 1 (k) = 1) or the backup sensor is selected and failed (d(k) = 1 and θ 2 (k) = 1). Thus the system failure probability P S,N can be formally defined as: Definition 1: P S,N is the probability that there exists k 0 N such that for each k k 0, k 0 + 1,..., k 0 + N 0 1} one of the following is true: 1) d(k) = 0 and θ 1 (k) = 1 2) d(k) = 1 and θ 2 (k) = 1 and the sensor i selected at time k 0 + N 0 1 has a failure time within the N-step window (T i N). By this definition, the system fails if it produces bad data for N 0 consecutive steps due to failures in the primary and/or backup sensor that occur within the N-step window. A system failure may occur due to a sequence of bad data beginning within the window (k 0 N) and ending outside the window (k 0 + N 0 1 > N). The required detection time N 0 is typically much smaller than the analysis window N. Hence the choice of whether or not to include these boundary events should have negligible effect on P S,N. Different assumptions regarding such boundary events can be handled with essentially notational changes. B. Specific Example As discussed above, the analysis in Section III only requires the following information: 1) Sensor Failure Model: P [T i = k] specified for i = 1, 2 and 1 k N. 2) FDI False Alarm: P [T S N T 1 = N + 1]. 3) FDI Missed Detection: P [T S k + N 0 T 1 = k] defined for 1 k N. This section briefly illustrates the notation in the context of a specific example. The example assumes sensor failures are governed by a geometric distribution and the FDI switching logic is independent and identically distributed (IID) in time. First, assume the failure time of each sensor has an identical continuous-time exponential distribution with parameter 1 λ = MT BF [15]. The continuous-time exponential distribution can be approximated using a discrete-time geometric distribution with parameter q := 1 e λ t where t is the sample time [19]. If the sensor is operational at k = 0 then it follows from the geometric distribution that the probability mass function for the sensor failures is given by: (1 q) P [T i = k] = k 1 q if 1 k N (1 q) N (3) if k = N + 1 Let P F := P [d(k) = 1 θ 1 (k) = 0] and P D := P [d(k) = 1 θ 1 (k) = 1] denote the (single-frame) probability of false alarm and detection. The multiple-frame FDI performance probabilities can be related to these single-frame probabilities due to the assumption of FDI logic being IID. First, P [T S N T 1 = N + 1] is the conditional probability that a fault is declared in the N step window given that the primary sensor remains operational. The set of sequences d(k)} N k=1 where d(k) = 1 for at least one k is complementary to the sequence where d(k) = 0 for 1 k N. Thus the multiple-frame false alarm probability can expressed in terms of the single frame probabilities as: P [T S N T 1 = N + 1] = 1 (1 P F ) N (4) Next, P [T S k+n 0 T 1 = k] is the conditional probability that a fault is not declared in the first k + N 0 1 time steps given that sensor 1 failed at time k. This corresponds to a true negative for the first k 1 steps followed by N 0 steps of false negatives. Thus this probability is expressed as: P [T S k + N 0 T 1 = k] = (1 P F ) k 1 (1 P D ) N0 (5) III. PROBABILISTIC ANALYSIS This section provides an exact expression for P S,N. The analysis relies on basic probability theory with the law of total probability as the main tool. An application of this law is the following statement: Let the events T 1 = k} N+1 k=1 form a disjoint partition of the sample space. Then the probability of any other event A can be expressed as: A. General Theory P [A] = Σ N+1 k=1 P [A T i = k]p [T i = k] (6) The dual redundant system fails to perform its required function if it generates bad data for N 0 consecutive steps. P S,N is the probability of the system failing to perform this function in an N-step window. There are four mutually exclusive events that lead to system failure: 1) Event M N : The primary sensor fails at some time k N and the fault detection logic fails to switch within N 0 frames. This is a missed detection, denoted M N. 2) Event F N : The primary sensor remains operational during the entire N-step window. The fault detection logic has a false alarm and switches to the backup sensor but the backup sensor fails within the N-step window. This event is a false alarm, denoted F N. 3) Event D N : The primary sensor fails at some time k N. The fault detection logic detects the failure within N 0 frames of the failure and correctly switches to the backup sensor. The backup sensor fails within the N- step window (either before or after the detected failure in the primary sensor). This event is a proper detection, denoted D N, but results from failure in both sensors. 4) Event E N : The primary fails at some time k N. The fault detection logic raises a false alarm prior to time k and switches to the backup sensor but the backup sensor fails within the N-step window. This event is an early false alarm, denoted E N.

4 The four events are mutually exclusive and hence: P S,N = P [M N ] + P [F N ] + P [D N ] + P [E N ] (7) The remainder of the section provides expressions for these four failure events. The first event is the missed detection M N. The probability of a missed detection event can be expressed as P [M N ] = P [T 1 N} T S T 1 + N 0 }]. Apply the law of total probability (Equation 6) to obtain: P [M N ] = Σ N k=1p [T S k + N 0 T 1 = k]p [T 1 = k] (8) The second event is the false alarm F N. The false alarm event can be specified as P [F N ] = P [T 1 = N + 1} T S N} T 2 N}]. The sensor failures are independent from each other. Moreover, the switching logic is independent of the backup sensor. Hence this probability is: P [F N ] =P [T S N T 1 = N + 1] P [T 1 = N + 1] P [T 2 N] (9) The third event D N involves a primary sensor failure and a true detection that causes a switch to the backup sensor. A failure of the backup sensor then leads to a system failure. Thus P [D N ] = P [T 1 N} T 1 T S < T 1 + N 0 } T 2 N}]. Similarly, the fourth event E N also involves a primary sensor failure but in this case a false alarm causes a switch to the backup sensor prior to the primary sensor failure. The probability of this event can be expressed as P [E N ] = P [T 1 N} T S < T 1 } T 2 N}]. The events D N and E N are mutually exclusive and combined as: P [D N ] + P [E N ] = (10) P [T 1 N} T S < T 1 + N 0 } T 2 N}] Apply the law of total probability to rewrite this as: P [D N ] + P [E N ] = (11) Σ N k=1p [T 1 = k} T S < T 1 + N 0 } T 2 N}] The sensor failures and the the switching logic are independent and hence this can be expressed as: P [D N ] + P [E N ] = (12) Σ N k=1p [T S < k + N 0 T 1 = k]p [T 1 = k]p [T 2 N] Finally, we can compute the total system failure probability (Equation 7) by combining the probabilities for the basic failure events (Equations 8, 9, and 12). This yields the following expression for the system failure probability: P S,N = Σ N k=1p [T S k + N 0 T 1 = k]p [T 1 = k] (13) + P [T S N T 1 = N + 1]P [T 1 = N + 1]P [T 2 N] + Σ N k=1p [T S < k + N 0 T 1 = k]p [T 1 = k]p [T 2 N] Computing this system failure probability only requires the information specified in Section II. Specifically, the system failure probability can be computed from Equation 13 as long as the sensor failure P [T i = k], FDI false alarm P [T S N T 1 = N + 1] and FDI missed detection P [T S k + N 0 T 1 = k] probabilities are all known. Moreover, it is not necessary for the FDI residuals to be Gaussian in order to compute these probabilities. B. Specific Example This section demonstrates the calculation of P S,N using the probabilities for the sensor and FDI performance (Equations 3-5) for the example in Section II-B. For this example the probabilities for the missed detection (Equation 8), false alarm (Equation 9), and combined detection / early false alarm (Equation 12) events can be computed as follows: P r[m N ] = q(1 P D ) 1 (1 P N0 F ) N (1 q) N (14) 1 (1 P F )(1 q) P r[f N ] = ( 1 (1 P F ) N ) (1 q) N P r[t 2 N] (15) P r[d N ] + P r[e N ] = (P r[t 1 N] P r[m N ]) P r[t 2 N] (16) where P r[t i N] = 1 (1 q) N (i = 1, 2) based on the geometric sensor failure model (Equation 3). The exact system failure probability P S,N is given by the sum of Equations This result can be simplified if further assumptions are made. If Nq 1 and NP F 1 both hold then the event probabilities in Equations can be approximated as: P r[m N ] Nq(1 P D ) N0 (17) P r[f N ] N 2 P F q(1 Nq) (18) P r[d N ] + P r[e N ] ( 1 (1 P D ) N0) (Nq) 2 (19) Next make the following definitions: ˆq := Nq, ˆPF := NP F and ˆP D := 1 (1 P D ) N0. Each of these definitions has a clear meaning. ˆq and ˆP F are the approximate sensor failure and false alarm probabilities per hour, respectively. ˆP D is the approximate conditional probability of detection of a fault within the N 0 step detection window. With this notation the system failure probability is approximated as: P S,N ˆq(1 ˆP D ) + ˆP D ˆq 2 + ˆP F ˆq(1 ˆq) (20) This approximation provides an intuition for the basic causes of system failure. The first term ˆq(1 ˆP D ) is due to a a missed detection of a failed primary sensor. ˆPD ˆq 2 accounts for the case where the FDI scheme detects a failed primary sensor but the backup sensor also fails. Finally, ˆPF ˆq(1 ˆq) refers to the case where the primary sensor is functioning, the FDI scheme triggers a false alarm and then the backup sensor fails. The approximation in Equation 20 can be used to incorporate missed detections and false alarms as basic events in the extended fault tree analysis as described in [2], [9]. These approximations are intuitive but only justified for geometric failure models, IID fault detection logic, N q 1, and NP F 1. If any of these assumptions fail then Equations should instead be used to compute P S,N. IV. APPLICATIONS This section provides a numerical example to demonstrate the proposed analysis method. The dual-redundant system is assumed to run at a 100Hz sample rate ( t = 0.01sec) with primary and back-up sensors that have a mean time between

5 failure of 1000 hours. This failure rate is approximated using a discrete-time geometric distribution with q = The system fails if it produces bad data for at least N 0 = 20 consecutive samples. The FDI logic is described in further detail below. The objective is to compute the probability of failure for the dual-redundant system, P S,N, using a window of length N = This corresponds to the per-hour system failure probability at the specified 100Hz sample rate. For comparison, note that the system failure rate per hour is 10 3 for a single-sensor architecture. For a triple-redundant architecture with simple hardware voting, the system will fail if any two of the three sensors fail. In this case the system failure rate per hour is approximately The system failure probability for the dual-redundant architecture with analytical FDI will be compared to these two extreme cases. The logic for monitoring the primary sensor is assumed to be a model-based FDI algorithm. A typical model-based FDI scheme is compromised of two parts: a filter that generates a residual r(k) and a decision function which determines the logic signal d(k) that indicates the status of the primary sensor. There are many approaches to design the FDI filter, e.g. observers, parity equations, parameter estimators, and robust filters [4], [11], [6]. The filter output, r(k), is a random variable and the objective is to design the filter to achieve a decoupling property: r(k) has zero mean when θ 1 (k) = 0 and non-zero mean when θ 1 (k) 0. For some filter designs, e.g. Kalman filters, the residual is uncorrelated in time. For these approaches it is reasonable to model r(k) as: r(k) = n(k) + θ 1 (k)f (21) where n(k) is an IID noise process and f is assumed to be an additive bias fault that occurs when the sensor fails (θ 1 (k) = 1). n(k) is assumed to be Gaussian with zero mean and variance σ 2. The decision logic generates the status signal d(k) based on r(k). Again, there are many different approaches to design the decision function, e.g. thresholding, statistical tests, and fuzzy logic [11], [6]. For simplicity, this example considers the use of a constant thresholding logic: 1 if r(j) > H for some j k d(k) := (22) 0 else In other words, a fault is declared when the residual magnitude exceeds the threshold H. Note that this decision logic does not have intermittent switching, i.e. d(k) remains at 1 once the residual exceeds the threshold. This fault detection logic is IID in time due to the given assumptions on r(k) and hence the system failure probability P S,N can be computed using the results in Section III-B. Recall the definition of the single-frame false alarm and detection probabilities: P F := P [d(k) = 1 θ 1 (k) = 0] and P D := P [d(k) = 1 θ 1 (k) = 1]. The residual is Gaussian at each time and hence: P F = 1 P D = 1 H H H H 1 2πσ e r2 2σ 2 dr (23) 1 2πσ e (r f)2 2σ 2 dr (24) These single-frame probabilities can be accurately and efficiently computed using the error function erf in Matlab. The system failure probability can be computed from the results in Section III for specific values of the residual variance σ 2, fault level f, and threshold H. First, the singleframe false alarm and detection probabilities are computed using Equations 23 and 24. The exact probabilities for the basic failure events can be computed from Equations using P F, P N, q, N 0, and N. There is no need to use the approximations (Equations 17-19) as the exact equations can be efficiently evaluated. Finally, the exact system probability is given by the sum of the basic failure event probabilities (Equation 7). These steps are equivalent to evaluating the general result in Equation 13. Finally, note that the single-frame FDI probabilities appear to depend independently on σ 2, f, and H. Equations 23 and 24 can be non-dimensionalized so that only the ratios H σ and f σ appear in the integrals. The remainder of the section considers the effect of H σ and f σ on P S,N. Figure 2 shows P S,N as a function of the normalized threshold H σ for three values of the normalized fault level f σ =1, 6, and 10. The vertical axis is a log-scale to highlight the changes in system performance as a function of the threshold. For small thresholds the system will rarely have a missed detection but will often trigger a false alarm. As a result, for sufficiently small thresholds the system has P S,N 10 3 for all fault levels, i.e. the duplex system has similar reliability to the single sensor architecture. For large thresholds the system will rarely have a false alarm but it will also frequently have missed detections when failures occur. Thus the duplex system also has similar reliability as the single sensor system for large thresholds. For intermediate values of the threshold, the system failure probability depends on the ratio of the fault to noise level. For large fault levels ( f σ = 10) the threshold can be chosen to achieve a system failure probability near This probabilistic performance is even better than that achieved by the triplex system. However, the analysis of the duplex system neglects some effects, e.g. failure modes in any additional sensors used to compute the residual, and hence this ideal performance is unlikely be achievable in practice. For smaller fault levels ( f σ = 6) the system failure probability is higher and there is a smaller range of thresholds that achieve P S,N near Finally, for small fault sizes relative to the noise ( f σ = 1) the system has P S,N > 10 3 for some thresholds, i.e. the performance of the duplex system is even worst than that achieved by a single sensor. The results shown in Figure 2 were generated with the exact formulas for P S,N but the approximations discussed in Section III-B provide some intuition for the f σ = 1 curve. Specifically, the approximation in Equation 20 can be expressed as: P S,N ˆq + ( ˆP F ˆP D )ˆq(1 ˆq) (25) If ˆPF ˆP D then P S,N ˆq. Thus the dual redundant system fails more often than a single sensor if the false alarm probability The results exceeds in Figure the detection 2 indicateprobability. the importance of proper f threshold selection. For a given fault level σ, let H ( f σ )

6 ACKNOWLEDGMENTS This work was supported by the National Science Foundation under Grant No entitled CPS: Embedded Fault Detection for Low-Cost, Safety-Critical Systems. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. This work was also supported by NASA under Grant No. NRA NNX12AM55A entitled Analytical Validation Tools for Safety Critical Systems Under Loss-of-Control Conditions. The authors also acknowledge Brian Taylor for helpful discussions on assessing the reliability of avionics. Fig. 2. P S,N vs. H σ for N = denote the threshold that minimizies P S,N. Figure 3 shows P S,N as a function of the fault level for the optimal threshold H and for H = 10σ. As expected, for any fault level the system failure probability is lower with H. For both curves P S,N decreases monotonically with increasing fault level. Figure 3 also shows the limits of performance for the specific residual-based FDI scheme. In particular, for small fault levels (f 2σ) the failure probability of the duplex system is similar to that of a single sensor system even if the optimal threshold is chosen. More advanced decision functions, e.g. likelihood ratio test, are required if the fault level is small relative to the noise. Fig. 3. P S,N vs. f for N = σ V. CONCLUSION This paper analyzed the reliability of a dual-redundant system with analytical fault detection logic. The system failure probability can be exactly computed provided that probabilistic information is known for sensor failures and fault detection performance. The proposed approach can be combined with Monte Carlo simulations to assess system reliability. An example was given to demonstrate the approach. This example assumed the FDI decisions are independent in time. Future work will consider intermittent faults and time correlations that arise due to fault detection filters. REFERENCES [1] ADDSAFE: Advanced fault diagnosis for sustainable flight guidance and control European 7th Framework Program. [2] Jan Aslund, Jonas Biteus, Erik Frisk, Mattias Krysander, and Lars Nielsen. Safety analysis of autonomous systems by extended fault tree analysis. International Journal of Adaptive Control and Signal Processing, 21(2-3): , [3] R.J. Bleeg. Commercial jet transport fly-by-wire architecture considerations. In AIAA/IEEE DASC, pages , [4] J. Chen and R.J. Patton. Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer, [5] R.P.G. Collinson. Introduction to Avionic Systems. Kluwer, [6] S.X. Ding. Model-Based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools. Springer-Verlag, [7] T. Fawcett. An introduction to ROC analysis. Pattern Recognition Letters, 27: , [8] P. Goupil. Oscillatory failure case detection in the A380 electrical flight control system by analytical redundancy. Control Engineering Practice, 18(9): , [9] F. Gustafsson, J. Aslund, E. Frisk, M. Krysander, and L. Nielsen. On threshold optimization in fault-tolerant systems. In IFAC World Congress, [10] M. Heller, R. Niewoehner, and P. K. Lawson. On the validation of safety critical aircraft systems, part i: An overview of analytical and simulation method. In AIAA GNC Conf., [11] R. Isermann. Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault Tolerance. Springer-Verlag, [12] R. Isermann and P. Ballé. Trends in the application of modelbased fault detection and diagnosis of technical processes. Control Engineering Practice, 5(5): , [13] M. Krasich. Use of fault tree analysis for evaluation of systemreliability improvements in design phase. IEEE Proc. Reliability and Maintainability Symposium, pages 1 7, [14] W.S. Lee, D.L. Grosh, A.F. Tillman, and C.H. Lie. Fault tree analysis, methods, and applications: a review. IEEE Trans. on Reliability, 34(3): , [15] M. Rausand and A. Hoyland. System Reliability Theory: Models, Statistical Methods, and Applications. Wiley-Interscience, [16] J. Renfrow, S. Liebler, and J. Denham. F-14 flight control law design, verification, and validation using computer aided engineering tools. In IEEE Conference on Control Applications, pages , [17] C.P. Robert and G. Casella. Monte Carlo Statistical Methods. Springer, [18] N. D. Singpurwalla. Reliability and Risk: A Bayesian Perspective. John Wiley & Sons, [19] T. J. Wheeler, P. Seiler, A. K. Packard, and G. J. Balas. Performance analysis of fault detection systems based on analytically redundant linear time-invariant dynamics. In Proceedings of the American Control Conference, pages , [20] A. S. Willsky and H. L. Jones. A generalized likelihood ratio approach to the detection and estimation of jumps in linear systems. IEEE Transactions on Automatic Control, 21: , [21] Y.C. Yeh. Safety critical avionics for the 777 primary flight controls system. In Proc. of the 20th DASC, pages 1.C C.2.11, 2001.